On Thursday 22 November 2001 08.59, Alain Fauconnet wrote:
> Apart from a few segmentation violations lately, it's been fairly
> stable *EXCEPT* for a recurrent problem: from once a week to several
> times per day, it would "stop listening" to its port (3128) for a
> length of time ranging from 1 to 15 minutes. It means that a telnet to
> this port does *NOT* get connection refused, but the connection
> doesn't establish either. It stops to "Trying...". Tcpdump shows the
> SYN packet coming, then nothing else.

Smells like your connection backlog queue is filled by some junk which does
not get out of there..

Try increasing the SYN backlog queue.

    echo NNN >/proc/sys/net/ipv4/tcp_max_syn_backlog

It could also help enabling the SYN flood defender mechanisms such as
syncookies in the kernel..

    echo 1 >/proc/sys/net/ipv4/tcp_syncookies

A reliable way to diagnose if the SYN backlog is the problem is to not make
the above changes and instead set up a second http_port. If Squid still
accepts new connections on this second port when there are problems with the
first then your problem is with 100% certainty the SYN backlog queue, and the
above mechanisms (preferably in combination) will solve your problem.

--
MARA Systems AB
Giving you basic free Squid support
Priority support or Squid enhancements available on request

Received on Thu Nov 22 2001 - 02:13:46 MST
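
A complementary check to the second-http_port test described in the message, as an added example that is not part of the original post: it counts half-open (SYN_RECV, state 03) sockets per local port from a /proc/net/tcp-format table on stdin. The sample table, the second port 8080 and the limit of 4 are constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV, state 03) sockets per local
# port from a /proc/net/tcp-format table read on stdin.

# Constructed sample table (not captured from a real host): listeners on
# 3128 (0x0C38) and 8080 (0x1F90), four half-open entries on 3128 only.
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00000A:0C38 0A000065:C001 03 00000000:00000000 01:00000120 00000002     0        0 0
   3: 0A00000A:0C38 0A000066:C002 03 00000000:00000000 01:00000120 00000002     0        0 0
   4: 0A00000A:0C38 0A000067:C003 03 00000000:00000000 01:00000120 00000003     0        0 0
   5: 0A00000A:0C38 0A000068:C004 03 00000000:00000000 01:00000120 00000003     0        0 0
   6: 0A00000A:0C38 0A000069:C005 01 00000000:00000000 00:00000000 00000000     0        0 1003
EOF
}

# count_syn_recv PORT: number of state-03 rows whose local port is PORT.
count_syn_recv() {
    port=$1
    n=0
    while read -r _sl laddr _rem st _rest; do
        if [ "$st" = "03" ]; then
            hexport=${laddr##*:}   # port is the hex field after the last ':'
            if [ "$((0x$hexport))" -eq "$port" ]; then n=$((n + 1)); fi
        fi
    done
    echo "$n"
}

# backlog_state PORT LIMIT: "saturated" once the half-open count reaches
# LIMIT (the caller supplies LIMIT; 4 below is a constructed value).
backlog_state() {
    count=$(count_syn_recv "$1")
    if [ "$count" -ge "$2" ]; then echo "saturated"; else echo "ok"; fi
}

# Demo on the constructed sample: 3128 is stuck, 8080 is unaffected.
for p in 3128 8080; do
    echo "port $p: $(sample_table | count_syn_recv "$p") half-open," \
         "$(sample_table | backlog_state "$p" 4)"
done
```

On a live host, run `count_syn_recv 3128 < /proc/net/tcp` during a stall and compare the result with the value in /proc/sys/net/ipv4/tcp_max_syn_backlog.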